Foundations of Cryptography

Transcription

1 Foundations of Cryptography Ville Junnila Department of Mathematics and Statistics University of Turku 2015 Ville Junnila Lecture 7 1 of 18

2 Cosets Definition 2.12 Let G be a group, H G and a G. Then we have the following definitions: ah = {ah G h H} is the left coset of H in G defined by a and Ha = {ha G h H} is the right coset of H in G defined by a. Theorem 2.9 Let H be a subgroup of G. Then for any a, b G the following statements are equivalent: 1 ah = bh, 2 a bh, i.e., a = bh for some h H and 3 b 1 a H. Ville Junnila viljun@utu.fi Lecture 7 2 of 18

3 Cosets Definition 2.13 If H G, then the set of all cosets of H is denoted by G/H. Theorem 2.10 Let H G. 1 Each element of G belongs to exactly on left coset of H. 2 If G is finite, then each left coset has the same number of elements. 3 The subgroup H itself is a coset; H = 1 H. Ville Junnila viljun@utu.fi Lecture 7 3 of 18

4 Cosets Theorem 2.11 (Lagrange s theorem) Let G be a finite group and H G. If the number of left cosets of H is i, then we have G = i H. In particular, G is divided by H. Example Let G be a finite group with 21 elements. Consider the possible orders of subgroups of G. Ville Junnila viljun@utu.fi Lecture 7 4 of 18

5 Order of group element Definition 2.14 Let G be a group. If a G is such that a k 1 G for all k Z \ {0}, then the order of a is infinite. Otherwise, the order of a G is the smallest positive integer n such that a n = 1 G. Theorem Let G be a finite cyclic group, G = c. If n is the smallest positive integer such that c n = 1 G, then G = n and G = {1, c, c 2,..., c n 1 }. Theorem 2.12 Let G be a group and a G. The order of a is equal to the order of a = {a k k Z}. Ville Junnila viljun@utu.fi Lecture 7 5 of 18

6 Order of group element Theorem 2.13 Let G be a finite group and a G. Then the order of a G divides G since a divides G by Lagrange s theorem. Therefore, Example a G = 1 G. Consider the group (Z 25, ). Determine the order of 2 Z 25. Ville Junnila viljun@utu.fi Lecture 7 6 of 18

7 Order of group element Theorem 2.14 (Euler s theorem) Considering the group (Z n, ), we have a ϕ(n) = 1 for all a Z n. In other words, for all a Z such that gcd(a, n) = 1, we have a ϕ(n) 1 (mod n). Theorem 2.15 (Fermat s little theorem) If p P and a Z is not divisible by p, then a p 1 1 (mod p). Ville Junnila viljun@utu.fi Lecture 7 7 of 18

8 Rings Definition 2.15 A triplet (R, +, ) is called a ring, if + and are binary operations defined over R and the following conditions hold: Re1 (R, +) is an abelian group (the additive group of the ring) Re2 a(bc) = (ab)c multiplication) a, b, c R (the associativity of Re3 there exists 1 R such that 1 a = a 1 = a element or identity element of the ring) Re4 a(b + c) = ab + ac; (a + b)c = ac + bc (distributivity). a R (unit a, b, c R If multiplication is also commutative, i.e., ab = ba a, b R, we call R a commutative ring. Remark The unit element 1 of the ring is unique. Ville Junnila viljun@utu.fi Lecture 7 8 of 18

9 Rings Example 2.11 Each of the sets Z, Q and R form a commutative ring under the usual + and. Example 2.12 (Polynomial ring) The set of polynomials R[x] = {a o + a 1 x + + a n x n n 0, a k R (k = 0, 1,..., n)} with the operations (f, g R[x]) (f + g)(x) = f (x) + g(x) and (fg)(x) = f (x)g(x) for all x R is a commutative ring. Similarly, Z[x] and Q[x] are commutative rings. Ville Junnila viljun@utu.fi Lecture 7 9 of 18

10 Rings Example 2.13 (Quotient ring or residue class ring) The set Z m is a commutative ring under the following + and : a + b = a + b and a b = ab. The zero element is 0 and the unit element 1. The ring is finite and commutative. Definition 2.16 Let R be a ring. A subset I R is an ideal in R if I1 (I, +) is a subgroup of (R, +), I2 ra I for all r R and a I, and I3 ar I for all r R and a I. Ville Junnila viljun@utu.fi Lecture 7 10 of 18

11 Ideals Example Consider the ring (Z, +, ). Let us show that m = mz is an ideal of Z. Example 2.14(a) Consider the polynomial ring (R[x], +, ). Let us show that is an ideal in R[x]. I = {p(x) R[x] p(0) = 0} Ville Junnila viljun@utu.fi Lecture 7 11 of 18

12 Ideals Example 2.14(c) Let us show that I = {a m x m + a m+1 x m a n x n R[x] n m} is an ideal in R[x]. Definition If S 1, S 2,..., S k are subsets of a ring R, then S 1 + S S k = {r 1 + r r k r i S i }. Ville Junnila viljun@utu.fi Lecture 7 12 of 18

13 Ideals Theorem 2.16 Let R be a ring. 1 If I and J are ideals in R, then I + J is an ideal. Generally, if I 1, I 2,..., I n are ideals in R, then I 1 + I I n is an ideal. 2 If I and J are ideals in R, then I J is an ideal. Generally, if I i (i I) are ideals in R, then the intersection i I I i is an ideal. Definition (Generating an ideal) Let R be a ring. A subset S R generates an ideal S = I, S I where I goes through all such ideals in R. Indeed, by Theorem 2.16, S is an ideal. Ville Junnila viljun@utu.fi Lecture 7 13 of 18

14 Ideals Remark The ideal S is the smallest one including S, i.e., if J is an ideal such that S J, then S J. Definition If S is a finite set, say S = {a 1, a 2,..., a k }, then we denote S = a 1, a 2,..., a k and say that the ideal S is finitely generated. An ideal generated by one element, say a, is called a principal ideal. Example 2.15 The trivial ideals R and {0} are principal ideal since R = 1 and {0} = 0. Ville Junnila viljun@utu.fi Lecture 7 14 of 18

15 Ideals Example 2.16 The ideals of the ring Z are principal ideals m = mz (m 0) (by Theorem 2.6). Example 2.17 Consider the principal ideal x m in the polynomial ring R[x]. By the definition of ideal, p(x)x m x m for any p(x) R[x]. Therefore, the ideal (of Example 2.14(c)) I = {a m x m + a m+1 x m a n x n R[x] n m} is such that I x m. Since x m I, then by the minimality of x m, we have x m I. Thus, I = x m. Ville Junnila viljun@utu.fi Lecture 7 15 of 18

16 Ideals Theorem 2.17 If R is a commutative ring, then for any a 1, a 2,..., a k R we have a 1, a 2,..., a k = {r 1 a 1 + r 2 a r k a k r i R}. Ville Junnila viljun@utu.fi Lecture 7 16 of 18

17 Quotient ring Remark Let (R, +, ) be a ring and I an ideal in R. Recall that I R under the addition +. Hence, we may consider the cosets a + I in the group (R, +). Recall that R/I denoted the set of all cosets. Theorem 2.18 Let (R, +, ) be a ring and I an ideal in R. The equations (a + I ) + (b + I ) = (a + b) + I and (a + I )(b + I ) = ab + I give well-defined binary operations from R/I R/I to R/I that form a ring (R/I, +, ). Ville Junnila viljun@utu.fi Lecture 7 17 of 18

18 Quotient ring Remark Recall that if I is an ideal in a ring R, then (I, +) is a subgroup of (R, +). Theorem 2.9 Let H be a subgroup of G. Then for any a, b G the following statements are equivalent: 1 ah = bh, 2 a bh, i.e., a = bh for some h H and 3 ab 1 H. Example Consider the ring (Z/3Z, +, ). Ville Junnila viljun@utu.fi Lecture 7 18 of 18